GDPR and CCTV: The Complete Guide to Video Surveillance Compliance
If your business has a CCTV system — whether it's a single camera over the till, a network of cameras across a warehouse, or a doorbell camera at the office entrance — you are processing personal data under GDPR.
That means you have legal obligations. Specific ones. Ones that most small business owners don't know about until a data subject asks to see their footage, or until the Information Commissioner's Office (ICO) comes knocking.
This guide covers everything you need to know: why CCTV footage is personal data, how to establish a lawful basis, when you need a Data Protection Impact Assessment (DPIA), what your signage must say, how long you can keep footage, who can view it, and how to handle DSARs and police requests.
Why CCTV Footage Is Personal Data Under GDPR
Under GDPR, personal data means any information that relates to an identified or identifiable natural person. CCTV footage almost always meets this definition — it captures people's faces, body language, movements, and behaviour in a way that allows them to be identified, either directly or in combination with other information (like a staff rota or loyalty card database).
The UK ICO confirmed this in its CCTV code of practice: video surveillance that captures images of individuals is personal data, and all the GDPR principles apply — lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.
This means you can't just install a camera and leave it running indefinitely. You need a documented basis for operating it, and you need to be able to demonstrate that basis if asked.
Lawful Basis for Operating CCTV
You need a lawful basis from Article 6 of GDPR for every camera you operate. For most small businesses, one of two bases will apply:
Legitimate interests (Article 6(1)(f)) is the most commonly used basis for commercial CCTV. It applies when you have a genuine business reason for the surveillance, and that reason is not overridden by the privacy rights of the people being recorded.
To rely on legitimate interests, you must complete a three-part Legitimate Interests Assessment (LIA):
- Purpose test — identify the specific legitimate interest (e.g., preventing theft, protecting staff safety, securing company property)
- Necessity test — confirm that CCTV is necessary to achieve that purpose, and that less privacy-intrusive measures (like improved lighting or access controls) wouldn't be sufficient
- Balancing test — weigh your interest against the privacy impact on employees, customers, and visitors, and confirm your interest prevails
The balancing test is where businesses get caught out. You cannot rely on legitimate interests to monitor staff continuously in spaces where they have a reasonable expectation of privacy — changing rooms, toilets, and rest rooms are off-limits. Heavily surveilled workplaces where cameras monitor every movement throughout the day will face difficulty with this test.
Legal obligation (Article 6(1)(c)) applies where you're legally required to have CCTV — for example, certain licensed premises, some financial services environments, or food processing facilities where CCTV is mandated by regulation. If this is your basis, document which specific legal obligation requires the system.
Public task and vital interests apply in limited circumstances (local councils, hospitals) and are unlikely to be relevant to most small businesses.
When You Need a DPIA for CCTV
A Data Protection Impact Assessment (DPIA) is mandatory for processing that is "likely to result in a high risk" to individuals' rights and freedoms. CCTV frequently triggers this requirement.
You must carry out a DPIA before deploying CCTV if any of the following apply:
- Systematic monitoring of publicly accessible areas — any camera pointing at a public street, pavement, or car park
- Large-scale processing — multiple cameras covering large areas or monitoring significant numbers of people
- Use of new technologies — any system with facial recognition, behavioural analytics, automatic number plate recognition (ANPR), or AI-based features
- Monitoring employees — workplace surveillance that affects staff rights
A DPIA is a formal, documented process. It must describe the processing, assess its necessity and proportionality, identify the risks to individuals, and set out the measures you will take to address those risks. If you can't reduce risks to an acceptable level, you must consult the ICO before proceeding.
Even where a DPIA isn't strictly mandatory, it's good practice — it forces you to think through your surveillance rationale properly and creates documentation you can rely on in any dispute.
Signage Requirements: Informing People They're Being Recorded
You must tell people they're being recorded. This is the transparency requirement under Article 13 of GDPR, and it applies to CCTV just as it applies to a contact form on your website.
For CCTV, transparency is delivered in two layers:
Layer 1 — Prominent signs at entry points. These must be visible before a person enters the surveilled area. They should include: the name of the organisation operating the cameras, the purpose of the surveillance, and information about how to get more details (typically a privacy notice URL or contact details). They do not need to contain every detail of your privacy notice — just enough to put people on notice.
Layer 2 — Full privacy notice. This can be on your website, displayed inside the premises, or provided on request. It should cover the full Article 13 information: identity and contact details of the controller, contact details of any DPO, the lawful basis, the legitimate interests if applicable, retention periods, data subject rights, whether footage is shared with third parties, and the right to lodge a complaint with the ICO.
Signs that simply say "CCTV in operation" without any controller identity or purpose information do not meet GDPR requirements. You need to update them if that's currently all you have.
Data Retention: How Long Can You Keep CCTV Footage?
You cannot keep CCTV footage indefinitely. The storage limitation principle requires that personal data is kept no longer than necessary for the purpose for which it was collected.
For most commercial CCTV systems, the ICO's guidance suggests that 30 days is the standard maximum retention period for routine footage. This is the period within which most incidents that would require review of footage will come to light.
There are legitimate reasons to retain footage longer:
- Where an incident has been identified and footage is needed as evidence
- Where legal proceedings are pending or anticipated
- Where a regulatory body has issued a preservation notice
- Where a DSAR has been received and the footage is subject to the request
In these cases, you can extend retention beyond 30 days — but only for the specific footage in question, and only for as long as the specific purpose requires. General retention beyond 30 days "just in case" is not justified.
Document your retention policy. Your retention schedule should specify the standard period, the trigger events that justify longer retention, and the process for deletion when the retention period expires.
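As an added illustration (not from the original post), the retention schedule described above can be expressed as a small policy engine: routine footage is deleted once it passes the 30-day standard, a hold tied to one specific clip and one of the trigger events listed above (plus a police request, which the guide also says must stop deletion) overrides that, and every decision is written to an audit log. Clip IDs, dates and the hold reason names are constructed for the example.

```python
from datetime import date

STANDARD_RETENTION_DAYS = 30  # routine footage is deleted once older than this

# Trigger events from the retention and police-request sections that justify
# keeping one specific clip beyond the standard period (names are assumed).
HOLD_REASONS = {"incident", "legal_proceedings", "preservation_notice", "dsar", "police_request"}


def place_hold(holds, clip_id, reason, authorised_by):
    """Attach a hold to one named clip; blanket 'keep everything' holds are not supported."""
    if reason not in HOLD_REASONS:
        raise ValueError(f"unrecognised hold reason: {reason}")
    holds.setdefault(clip_id, []).append({"reason": reason, "authorised_by": authorised_by})


def release_hold(holds, clip_id, reason):
    """Lift a hold once its purpose has ended; the clip then falls back to the standard period."""
    holds[clip_id] = [h for h in holds.get(clip_id, []) if h["reason"] != reason]


def retention_decision(clip, holds, today):
    """Decide 'keep' or 'delete' for one clip and state why, so the decision can be audited."""
    age_days = (today - clip["recorded_on"]).days
    if age_days < STANDARD_RETENTION_DAYS:
        return "keep", f"within standard {STANDARD_RETENTION_DAYS}-day period"
    active = holds.get(clip["id"], [])
    if active:
        return "keep", "hold active: " + ", ".join(sorted(h["reason"] for h in active))
    return "delete", f"{age_days} days old, no hold"


def run_retention(clips, holds, today):
    """Apply the policy to every clip and return the audit log of decisions."""
    log = []
    for clip in clips:
        action, why = retention_decision(clip, holds, today)
        log.append({"clip": clip["id"], "on": today.isoformat(), "action": action, "reason": why})
    return log


# Constructed sample data (not real footage): three clips and one DSAR hold.
TODAY = date(2024, 6, 1)
CLIPS = [
    {"id": "cam01-20240520", "recorded_on": date(2024, 5, 20)},  # 12 days old: keep
    {"id": "cam01-20240410", "recorded_on": date(2024, 4, 10)},  # 52 days old, no hold: delete
    {"id": "cam02-20240415", "recorded_on": date(2024, 4, 15)},  # 47 days old, on hold: keep
]
HOLDS = {}
place_hold(HOLDS, "cam02-20240415", "dsar", authorised_by="dpo@example.invalid")

if __name__ == "__main__":
    for entry in run_retention(CLIPS, HOLDS, TODAY):
        print(entry)
```

Releasing the hold when the DSAR is closed makes the clip deletable on the next scheduled run, which is the "only for as long as the specific purpose requires" rule in practice.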
Access Controls: Who Can View CCTV Footage?
Not everyone in your organisation should have access to CCTV footage. The integrity and confidentiality principle requires that personal data is processed with appropriate security, including protection against unauthorised access.
For CCTV systems, this means:
- Restricting live monitoring to individuals with a documented business need — security personnel, designated managers
- Requiring authorisation for any retrospective review of recorded footage — this should be documented, including who authorised access, when, and why
- Logging access — many modern DVR and NVR systems allow you to record who has accessed footage and when; use this functionality
- Physical security — ensure recording equipment is in a locked room or cabinet, not accessible to general staff
- Limiting administrative access — only individuals who genuinely need to configure or manage the system should have administrator credentials
Where you use a third-party CCTV monitoring company, you need a Data Processing Agreement (DPA) in place with them. They are a data processor acting on your behalf, and you are legally responsible for ensuring they provide adequate data protection guarantees.
Handling Police and Law Enforcement Requests
You will, at some point, receive a request from the police to hand over CCTV footage. This happens frequently to businesses in premises where incidents occur.
You are not automatically obligated to hand over footage simply because a police officer asks. Equally, you are not automatically obligated to refuse. The position under GDPR is nuanced:
- Voluntary disclosure to the police is permitted under Article 6(1)(e) (public task) or under the law enforcement gateway in the Data Protection Act 2018, where the disclosure is necessary for the prevention or detection of crime
- Compelled disclosure under a court order or formal production notice must be complied with
- Informal requests should be evaluated case by case — consider whether there is a genuine crime under investigation and whether disclosure is proportionate
Best practice is to have a policy in place before a request arrives. The policy should specify: who in the organisation can authorise disclosure, the process for verifying the request is genuine (ask for a crime reference number and the officer's details), and how to document that a disclosure was made and why.
Do not delete footage after a police request has been made — that could amount to obstruction. If you receive a request while a retention period is about to expire, preserve the relevant footage pending a formal determination.
DSARs for CCTV Footage
Data subjects have the right to request a copy of personal data that relates to them — including CCTV footage in which they appear. This is a Data Subject Access Request (DSAR), and you must respond within one calendar month.
CCTV DSARs are more complex than most because:
- You need to locate the footage — the requester should provide the date, time, and location so you can identify the relevant clip
- You may need to redact — if the footage contains other individuals, you must protect their privacy. This typically means blurring or pixelating other people in the footage before disclosure
- You must provide the data in a usable format — a still screenshot is usually insufficient; you should provide the footage clip in a standard video format
- You can decline if the request is excessive or manifestly unfounded — but you must be able to justify this
If providing the footage would require disproportionate effort (for example, trawling through days of footage to find a brief appearance), you can ask the requester for more information to help narrow the search. But you cannot simply refuse.
Body-Worn Cameras
Body-worn cameras (BWCs) are increasingly used by security staff, door supervisors, and lone workers. They raise additional GDPR considerations compared to fixed CCTV:
- They can follow individuals into spaces where fixed cameras cannot go
- The presence of a BWC may not be immediately obvious to the person being recorded
- Footage can be captured covertly if the camera is activated without the subject's knowledge
For BWC deployments, your DPIA must consider these heightened risks. Your policy should specify: when cameras must be activated, when they must be announced to the subject, how footage is downloaded and stored, and what happens to footage that captures interactions not related to the original purpose.
Staff operating BWCs must be trained on the policy. Ad hoc or personal recording by employees is not covered by your CCTV policy and should be explicitly prohibited.
Doorbell Cameras in the Workplace
Smart doorbell cameras — Ring, Nest, and similar consumer-grade devices — are increasingly found in small business premises. Under GDPR, they are treated no differently from fixed CCTV if they capture images of identifiable individuals.
There is an important exemption for purely domestic use (a householder monitoring their own driveway), but this does not apply in a commercial context. If your business premises have a doorbell camera:
- The footage is personal data
- You need a lawful basis
- You must have signage
- You must manage retention
- You must respond to DSARs
A further complication is that doorbell camera footage is typically stored in the cloud by the device manufacturer. Your DPA with that manufacturer (if it exists) needs to cover this data. Many consumer cloud storage agreements are not GDPR-compliant for commercial use — this is a real compliance gap that businesses often overlook.
CCTV Compliance Checklist
Work through this checklist to assess your current position:
Lawful basis
- [ ] Identified the lawful basis for each camera or zone of coverage
- [ ] Completed a Legitimate Interests Assessment if relying on Article 6(1)(f)
- [ ] Documented the basis in your Records of Processing Activities (ROPA)
DPIA
- [ ] Assessed whether a DPIA is required
- [ ] Completed and documented a DPIA where required
- [ ] Consulted the ICO if residual risks remain high
Transparency
- [ ] Installed prominent, visible signage at all entry points to surveilled areas
- [ ] Signage includes organisation name, purpose, and how to access full privacy notice
- [ ] Full CCTV privacy notice available (on website or in premises)
Retention
- [ ] Written retention policy specifying standard period (typically 30 days)
- [ ] Process in place for extending retention when an incident or DSAR requires it
- [ ] Automatic or scheduled deletion process in place
Access controls
- [ ] Live monitoring restricted to authorised personnel only
- [ ] Retrospective access requires documented authorisation
- [ ] Physical access to recording equipment is secured
- [ ] DPA in place with any third-party monitoring company
Law enforcement requests
- [ ] Internal policy for handling police requests
- [ ] Process for documenting disclosures
- [ ] No footage deleted following a request
DSARs
- [ ] Process for receiving and logging CCTV-related DSARs
- [ ] Capability to redact other individuals from footage before disclosure
- [ ] Response process within the one-month deadline
Special equipment
- [ ] BWC policy in place covering activation, announcement, and data handling
- [ ] Doorbell cameras registered in ROPA and covered by signage
Start With Your Website
CCTV is just one part of your overall data protection picture. If you operate a website alongside your physical premises, there's a good chance it's also collecting personal data — often without the clear documentation and controls you need.
Run a free scan at app.custodia-privacy.com/scan to see exactly what tracking technologies are active on your site, whether your consent management is working correctly, and where your current compliance gaps are. Results in 60 seconds.
This post provides general information about GDPR and CCTV compliance. It does not constitute legal advice. Requirements vary by jurisdiction and individual circumstances differ. Consult a qualified data protection professional for advice specific to your organisation.